This article was downloaded by: [US Army War College] On: 01 October 2014, At: 07:07 Publisher: Routledge Informa Ltd Registered in England and Wales Registered Number: 1072954 Registered office: Mortimer House, 37-41 Mortimer Street, London W1T 3JH, UK Journal of Strategic Studies Publication details, including instructions for authors and subscription information: http://www.tandfonline.com/loi/fjss20 Cyber War Will Not Take Place Thomas Rid a a King's College London , UK Published online: 05 Oct 2011. To cite this article: Thomas Rid (2012) Cyber War Will Not Take Place, Journal of Strategic Studies, 35:1, 5-32, DOI: 10.1080/01402390.2011.608939 To link to this article: http://dx.doi.org/10.1080/01402390.2011.608939 PLEASE SCROLL DOWN FOR ARTICLE Taylor & Francis makes every effort to ensure the accuracy of all the information (the “Content”) contained in the publications on our platform. However, Taylor & Francis, our agents, and our licensors make no representations or warranties whatsoever as to the accuracy, completeness, or suitability for any purpose of the Content. Any opinions and views expressed in this publication are the opinions and views of the authors, and are not the views of or endorsed by Taylor & Francis. The accuracy of the Content should not be relied upon and should be independently verified with primary sources of information. Taylor and Francis shall not be liable for any losses, actions, claims, proceedings, demands, costs, expenses, damages, and other liabilities whatsoever or howsoever caused arising directly or indirectly in connection with, in relation to or arising out of the use of the Content. This article may be used for research, teaching, and private study purposes. Any substantial or systematic reproduction, redistribution, reselling, loan, sub- licensing, systematic supply, or distribution in any form to anyone is expressly


forbidden. Terms & Conditions of access and use can be found at http://www.tandfonline.com/page/terms-and-conditions


Cyber War Will Not Take Place

THOMAS RID

King’s College London, UK

ABSTRACT For almost two decades, experts and defense establishments the world over have been predicting that cyber war is coming. But is it? This article argues in three steps that cyber war has never happened in the past, that cyber war does not take place in the present, and that it is unlikely that cyber war will occur in the future. It first outlines what would constitute cyber war: a potentially lethal, instrumental, and political act of force conducted through malicious code. The second part shows what cyber war is not, case-by-case. Not one single cyber offense on record constitutes an act of war on its own. The final part offers a more nuanced terminology to come to terms with cyber attacks. All politically motivated cyber attacks are merely sophisticated versions of three activities that are as old as warfare itself: sabotage, espionage, and subversion.

KEY WORDS: Cyber-Security, Cyber War, Sabotage, Subversion, Espionage, Stuxnet, Information Operations

In the mid-1930s, inspired by the lead-up to World War I, the French dramatist Jean Giraudoux wrote a famous play, La guerre de Troie n’aura pas lieu, the Trojan War will not take place. The English playwright Christopher Fry translated the two acts in 1955 as Tiger at the Gates.1 The plot is set inside the gates of the city of Troy. Hector, a disillusioned Trojan commander, tries to avoid in vain what the seer Cassandra has predicted to be inevitable: war with the Greeks. Giraudoux was a veteran of 1914 and later worked in the French foreign office. His tragedy is an eloquent critique of Europe’s leaders, diplomats, and intellectuals who were, again, about to unleash the dogs of war. The play premiered in November 1935 in the Theatre de l’Athenee in Paris, almost exactly four years before the dramatist’s fears would come true.

1 Jean Giraudoux, Tiger at the Gates (La Guerre De Troie N’aura Pas Lieu), translated by Christopher Fry (New York: OUP 1955).

The Journal of Strategic Studies, Vol. 35, No. 1, 5–32, February 2012

ISSN 0140-2390 Print/ISSN 1743-937X Online/12/010005-28 © 2012 Taylor & Francis

http://dx.doi.org/10.1080/01402390.2011.608939

Judging from present pronouncements about cyber war, the world seems to be facing another 1935-moment. ‘Cyberwar is Coming!’ declared the RAND Corporation’s John Arquilla and David Ronfeldt in 1993.2 It took a while for the establishment to catch on. ‘Cyberspace is a domain in which the Air Force flies and fights’, announced Michael Wynne, a US Air Force Secretary, in 2006. Four years later the Pentagon leadership joined in. ‘Although cyberspace is a man-made domain’, wrote William Lynn, America’s Deputy Secretary of Defense, in a 2010 Foreign Affairs article, it has become ‘just as critical to military operations as land, sea, air, and space’.3 In the same year, Richard Clarke, the White House’s former cyber tsar, invoked calamities of a magnitude that make 9/11 pale in comparison and urged taking a number of measures ‘simultaneously and now to avert a cyber war disaster’.4 In February 2011, then-Central Intelligence Agency Director Leon Panetta warned the House Permanent Select Committee on Intelligence: ‘The next Pearl Harbor could very well be a cyber attack.’5 That year a highly sophisticated computer worm may have significantly damaged the Iranian nuclear enrichment program at Natanz. One much-noted investigative article in Vanity Fair concluded that the event foreshadowed the destructive new face of twenty-first century warfare, ‘Stuxnet is the Hiroshima of cyber-war.’6

But is it? Are the Cassandras of cyber warfare on the right side of history? Is cyber war really coming? This article argues that cyber war will not take place. That statement does not come with a Giraudouxian twist and irony. It is meant literally – as a statement about the past, the present, and the likely future: Cyber war has never happened in the past. Cyber war does not take place in the present. And it is highly unlikely that cyber war will occur in the future. Instead, all past and present political cyber attacks are merely sophisticated versions of three activities that are as old as warfare itself: subversion, espionage, and sabotage. That is improbable to change in the years ahead.

2 John Arquilla and David Ronfeldt, ‘Cyberwar is Coming!’, Comparative Strategy 12/2 (1993), 141–65.

3 William J. Lynn, ‘Defending a New Domain’, Foreign Affairs 89/5 (2010), 101.

4 Richard A. Clarke, and Robert K. Knake, Cyber War (New York: Ecco 2010), 261.

5 Lisa Daniel, ‘Panetta: Intelligence Community Needs to Predict Uprisings’, American Forces Press Service, 11 Feb. 2011.

6 Michael Joseph Gross, ‘A Declaration of Cyber-War’, Vanity Fair, April 2011.

The argument is presented in three steps. The first part outlines what cyber war is. Any attempt to answer the question of cyber war has to start conceptually. An offensive act has to meet certain criteria in order to qualify as an act of war. Any act of war has to have the potential to be lethal; it has to be instrumental; and it has to be political. The second part outlines what cyber war is not, case-by-case. Not one single past cyber offense, neither a minor nor a major one, constitutes an act of war on its own. This finding raises an immediate question, what these events actually are, if they are not war. The final part therefore constructively offers a more nuanced terminology to come to terms with cyber attacks. Political offenses – events between apolitical crime on the one end of the spectrum and real war on the other end – may have the aim of subverting, spying, or sabotaging. All cyber offenses of the past and current years fall into these three classes of activities. The article concludes by pointing out trends, risks, and recommendations.

What is Cyber War?

Clausewitz still offers the most concise concept of war. It has three main elements. Any aggressive or defensive action that aspires to be a stand-alone act of war, or may be interpreted as such, has to meet all three criteria. Past cyber attacks do not.

The first element is war’s violent character. ‘War is an act of force to compel the enemy to do our will’, wrote Carl von Clausewitz on the first page of On War.7 All war, pretty simply, is violent. If an act is not potentially violent, it is not an act of war. Then the term is diluted and degenerates to a mere metaphor, as in the ‘war’ on obesity or the ‘war’ on cancer. A real act of war is always potentially or actually lethal, at least for some participants on at least one side. Unless physical violence is stressed, war is a hodgepodge notion, to paraphrase Jack Gibbs.8 In Clausewitz’s thinking, violence is the pivotal point of all war. Both enemies – he usually considered two sides – would attempt to escalate violence to the extreme, unless tamed by friction, imponderables, and politics.9

7 Carl von Clausewitz, Vom Kriege (Berlin: Ullstein 1832, 1980), 27.

8 One of the most creative and important theoreticians of deterrence, Jack Gibbs, once pointed out that fear and the threat of force are integral ingredients of deterrence, ‘Unless threat and fear are stressed, deterrence is a hodgepodge notion.’ Jack P. Gibbs, ‘Deterrence Theory and Research’, in Gary Melton, Laura Nader and Richard A. Dienstbier (eds), Law as a Behavioral Instrument (Lincoln: Univ. of Nebraska Press 1986), 87.

9 Thomas Mahnken, in a useful conceptual appraisal of cyber war, also uses Clausewitz’s definition of war as violent, political, and ‘interactive’, and argues that the basic nature of war was neither fundamentally altered by the advent of nuclear weapons nor by cyber attack. Thomas G. Mahnken, ‘Cyber War and Cyber Warfare’, in Kristin Lord and Travis Sharp (eds), America’s Cyber Future: Security and Prosperity in the Information Age, Vol. 2 (Washington DC: CNAS 2011), 53–62.

The second element highlighted by Clausewitz is war’s instrumental character. An act of war is always instrumental. To be instrumental, there has to be a means and an end. Physical violence or the threat of force is the means. The end is to force the enemy to accept the offender’s will. Such a definition is ‘theoretically necessary’, Clausewitz argued.10 To achieve the end of war, one opponent has to be rendered defenseless. Or, to be more precise: the opponent has to be brought into a position, against his will, where any change of that position brought about by the continued use of arms would bring only more disadvantages for him, at least in that opponent’s view. Complete defenselessness is only the most extreme of those positions. Both opponents use violence in this instrumental way, shaping each other’s behavior, giving each other the law of action, in the words of the Prussian philosopher of war.11 The instrumental use of means takes place on tactical, operational, strategic, and political levels. The higher the order of the desired goal, the more difficult it is to achieve. As Clausewitz put it, in the slightly stilted language of his time: ‘The purpose is a political intention, the means is war; never can the means be understood without the purpose.’12 This leads to another central feature of war.

The third element that Clausewitz identified is war’s political nature. An act of war is always political. The objective of battle, to ‘throw’ the enemy and to make him defenseless, may temporarily blind commanders and even strategists to the larger purpose of war. War is never an isolated act. War is never only one decision. In the real world, war’s larger purpose is always a political purpose. It transcends the use of force. This insight was captured by Clausewitz’s most famous phrase, ‘War is a mere continuation of politics by other means.’13 To be political, a political entity or a representative of a political entity, whatever its constitutional form, has to have an intention, a will. That intention has to be articulated. And one side’s will has to be transmitted to the adversary at some point during the confrontation (it does not have to be publicly communicated). Any violent act and its larger political intention also has to be attributed to one side at some point during the confrontation. History does not know acts of war without eventual attribution.

10 Clausewitz, Vom Kriege, 29.

11 ‘[Der Gegner] gibt mir das Gesetz, wie ich es ihm gebe’, ibid., 30.

12 Ibid., 35.

13 In Vom Kriege, Clausewitz uses similar phrases a few times. This quote is a translation of the heading of Book 1, Chapter 24, ‘Der Krieg ist eine bloße Fortsetzung der Politik mit anderen Mitteln’, ibid., 44.

One modification is significant before applying these criteria to cyber offenses. A pivotal element of any warlike action remains the ‘act of force’. That act of force is usually rather compact and dense, even when its components are analyzed in detail. In most armed confrontations, be they conventional or unconventional, the use of force is more or less straightforward: it may be an F-16 striking targets from the air, artillery barrages, a drone-strike, improvised explosive devices placed by the side of a road, even a suicide bomber in a public square. In all these cases, a combatant’s or insurgent’s triggering action – say pushing a button or pulling a trigger – will rather immediately and directly result in casualties, even if a timer or a remote control device is used, such as a drone or a cruise missile, and even if a programmed weapon system is able to semi-autonomously decide which target to engage or not.14 An act of cyber war would be an entirely different game.

In an act of cyber war, the actual use of force is likely to be a far more complex and mediated sequence of causes and consequences that ultimately result in violence and casualties.15 One often-invoked scenario is a Chinese cyber attack on the United States homeland in case of a political crisis in, say, the Taiwan Strait. The Chinese could blanket a major city with blackout by activating so-called logic-bombs that were pre-installed in America’s electricity grid. Financial information on a massive scale could be lost. Derailments could crash trains. Air traffic systems and their backups could collapse, leaving hundreds of planes aloft without communication. Industrial control systems of highly sensitive plants, such as nuclear power stations, could be damaged, potentially leading to loss of cooling, meltdown, and contamination.16 As a result, people could suffer serious injuries or be killed. Military units could be rendered defenseless. In such a scenario, the causal chain that links somebody pushing a button to somebody else being hurt is mediated, delayed, and permeated by chance and friction. Yet such mediated destruction caused by a cyber offense could, without doubt, be an act of war, even if the means were not violent, only the consequences.17 Moreover, in highly networked societies, non-violent cyber attacks could cause economic consequences without violent effects that then could exceed the harm of an otherwise smaller physical attack.18 For one thing, such scenarios have caused widespread confusion, ‘Rarely has something been so important and so talked about with less clarity and less apparent understanding than this phenomenon’, commented Michael Hayden, formerly director of the CIA as well as the National Security Agency (NSA).19 And second, to date all such scenarios have another major shortfall: they remain fiction, not to say science fiction.

14 This statement is not a statement about the different levels of war: connecting between the political, strategic, operational, and tactical levels always remains a challenge.

15 This problem has been extensively discussed also among legal scholars. For an excellent recent overview, see Matthew C. Waxman, ‘Cyber-Attacks and the Use of Force’, The Yale Journal of International Law 36 (2011), 421–59.

16 For a particularly vividly told scenario, see the opening scene of Clarke and Knake, Cyber War.

17 See, for instance, Yoram Dinstein, ‘Computer Network Attacks and Self-Defense’, International Law Studies 76 (2002), 103. Arguing from a legal perspective, Dinstein also stresses ‘violent consequences’.

18 More on this argument, Waxman, ‘Cyber-Attacks and the Use of Force’, 436.

Not Cyber War

If the use of force in war is violent, instrumental, and political, then there is no cyber offense that meets all three criteria. But more than that, there are very few cyber attacks in history that meet only one of these criteria. It is useful to consider the most-quoted offenses case-by-case, and criterion-by-criterion.

The most violent ‘cyber’ attack to date is likely to be a Siberian pipeline explosion – if it actually happened. In 1982, an American covert operation allegedly used rigged software to cause a massive pipeline explosion in Russia’s Urengoy–Surgut–Chelyabinsk pipeline, which connected the Urengoy gas fields in Siberia across Kazakhstan, then Russia, to European markets. The gigantic pipeline project required sophisticated control systems, for which the Soviet operators had to purchase computers on the open markets. The Russian pipeline authorities tried to acquire the necessary Supervisory Control and Data Acquisition software, known as SCADA, from the United States and were turned down. The Russians then attempted to get the software from a Canadian firm. The CIA is said to have succeeded in inserting malicious code into the control system that ended up being installed in Siberia. The code that controlled pumps, turbines, and valves was programmed to operate normally for a time and then ‘to reset pump speeds and valve settings to produce pressures far beyond those acceptable to pipeline joints and welds’, recounted Thomas Reed, an official in the National Security Council at the time.20 In June 1982, the rigged valves probably resulted in a ‘monumental’ explosion and fire that could be seen from space. The US Air Force allegedly rated the explosion at three kilotons, equivalent to a small nuclear device.21 But when Reed’s book came out in 2004, Vasily Pchelintsev, a former KGB head of the Tyumen region where the alleged explosion was supposed to have taken place, denied the story. He surmised that Reed could have referred to an explosion that happened not in June but on a warm April day that year, 50 kilometers from the city of Tobolsk, caused by shifting pipes in the tundra’s melting ground. No one was hurt in that explosion.22

19 Michael V. Hayden, ‘The Future of Things “Cyber”’, Strategic Studies Quarterly 5/1 (Spring 2011) 3.

20 Thomas C. Reed, At the Abyss (New York: Random House 2004), 268–9.

21 Clarke and Knake, Cyber War, 93.

There are no media reports from 1982 that would confirm Reed’s alleged explosion, although regular accidents and pipeline explosions in the USSR were reported in the early 1980s. Even after the CIA declassified the so-called Farewell Dossier, which described the effort to provide the Soviet Union with defective technology, the agency did not confirm that such an explosion took place. If it happened, it is unclear if the explosion resulted in casualties. The available evidence on the event is so thin and questionable that it cannot be counted as a proven case of a successful logic bomb. This means that there is no known cyber attack that unequivocally meets Clausewitz’s first criterion: violence. No cyber offense has ever caused the loss of human life. No cyber offense has ever injured a person. No cyber attack has ever damaged a building.23

Another oft-quoted example of cyber war is an attack on Estonia that began in late April 2007. Estonia at the time was one of the world’s most connected nations; two thirds of all Estonians used the Internet and 95 percent of banking transactions were done electronically.24 The small and well-wired Baltic country was relatively vulnerable to cyber attacks. The story started about two weeks before 9 May, a highly emotional day in Russia when the victory against Nazi Germany is remembered. With indelicate timing, authorities in Tallinn decided to move the two-meter Bronze Soldier, a Russian World War II memorial of the Unknown Soldier, from the center of the capital to its outskirts. The Russian-speaking populations as well as neighboring Russia were aghast. On 26 and 27 April, Tallinn saw violent street riots, with 1,300 arrests, 100 injuries, and one fatality.

22 Anatoly Medetsky, ‘KGB Veteran Denies CIA Caused ’82 Blast’, Moscow Times, 18 March 2004.

23 An accidental gasoline explosion that occurred in Bellingham, WA on 10 June 1999, is sometimes named as a violent cyber incident; three youths were killed. Although the relevant SCADA system was found directly accessible by dial-in modem, no evidence of hacking was uncovered in the official government report. See, National Transportation Safety Board, ‘Pipeline Rupture and Subsequent Fire in Bellingham, Washington, June 10, 1999’, Pipeline Accident Report NTSB/PAR-02/02 (Washington DC, 2002), 64.

24 Eneken Tikk, Kadri Kaska and Liis Vihul, International Cyber Incidents (Tallinn: CCDCOE 2010), 17.

The street riots were accompanied by online riots. The cyber attacks started in the late hours of Friday 27 April. Initially the attackers used rather inept, low-technology methods, such as ping floods and simple denial of service attacks. Then the attacks became slightly more sophisticated. Starting on 30 April, simple botnets were used to increase the volume of distributed denial of service (DDoS) attacks, and the timing of these collective attacks was increasingly coordinated. Other types of nuisances included email and comment spam as well as the defacement of the Estonian Reform Party’s website. Estonia experienced what was then the worst-ever DDoS. The attacks came from an extremely large number of hijacked computers, up to 85,000; and the attacks went on for an unusually long time, for three weeks, until 19 May. The attacks reached a peak on 9 May, when Moscow celebrates Victory Day. Fifty-eight Estonian websites were down at once. The online services of Estonia’s largest bank, then known as Hansapank, were unavailable for 90 minutes on 9 May and for two hours a day later.25 The effect of these coordinated online protests on business, government, and society was noticeable, but ultimately it remained minor. The main long-term consequence of the attack was that the Estonian government succeeded in getting the North Atlantic Treaty Organization (NATO) to establish a permanent agency in Tallinn, the Cooperative Cyber Defence Centre of Excellence.

A few things are notable about the attack. It remained unclear who was behind the attacks. Estonia’s defense minister as well as the country’s top diplomat pointed their fingers at the Kremlin. But they were unable to muster evidence, retracting earlier statements that Estonia had been able to trace the Internet Provider addresses of some computers involved in the attack back to the Russian government. Neither experts from the Atlantic Alliance nor from the European Commission were able to identify Russian fingerprints in the operations. Russian officials called accusations of involvement ‘unfounded’.26

Keeping Estonia’s attack in perspective is important. Mihkel Tammet, an official in charge of Information Computer Technology (ICT) for the Estonian Ministry of Defense, described the time leading up to the launch of the attacks as a ‘gathering of botnets like a gathering of armies’.27 Andrus Ansip, then Estonia’s prime minister, asked, ‘What’s the difference between a blockade of harbors or airports of sovereign states and the blockade of government institutions and newspaper websites?’28 It was of course a rhetorical question. Yet the answer is simple: unlike a naval blockade, the mere ‘blockade’ of websites is not violent, not even potentially; unlike a naval blockade, the DDoS attack was not instrumentally tied to a tactical objective, but an act of undirected protest; and unlike ships blocking the way, the pings remained anonymous, without political backing. Ansip could have asked what the difference was between a large popular demonstration blocking access to buildings and the blocking of websites. The comparison would have been better, but still flawed for an additional reason: many more actual people have to show up for a good old-fashioned demonstration than for a DDoS attack.

25 These disruptions were the worst of the entire ‘cyber war’ according to ibid., 20.

26 ‘Estonia has no evidence of Kremlin involvement in cyber attacks’, Ria Novosti, 6 Sept. 2007. It should also be noted that Russian activists and even a State Duma Deputy (although perhaps jokingly) have claimed to be behind the attacks, see Gadi Evron, ‘Authoritatively, Who was Behind the Estonian Attacks?’ Darkreading, 17 March 2009. See also, Gadi Evron, ‘Battling Botnets and Online Mobs’, Science & Technology (Winter/Spring 2008), 121–8.

27 Tim Espiner, ‘Estonia’s cyberattacks: lessons learned, a year on’, ZDNet UK, 1 May 2008.

A year later a third major event occurred that would enter the Cassandra’s tale of cyber war. The context was a ground war between the Russian Federation and Georgia in August 2008. The short armed confrontation was triggered by a territorial dispute over South Ossetia. On 7 August, the Georgian Army reacted to provocations by attacking South Ossetia’s separatist forces. One day later, Russia responded militarily. Yet the computer attack on the Georgian websites started slowly on 29 July, ten days before the military confrontation and with it the main cyber attack started on 8 August. It may have been the first time an independent cyber attack happened in synchronization with a conventional military operation. The cyber attacks on Georgia comprised three types.

Some of the country’s prominent websites were defaced, for instance that of Georgia’s national bank and the ministry of foreign affairs. The most notorious defacement was a collage of portraits juxtaposing Adolf Hitler and Mikheil Saakashvili, the Georgian president.

The second type of offence were denial-of-service attacks against websites in the Georgian public and private sectors, including government websites, like the parliament, but also news media, Georgia’s largest commercial bank, and other minor websites. The attacks, on average, lasted around two hours and 15 minutes, the longest up to six hours.29

A third method was an effort to distribute malicious software todeepen the ranks of the attackers and the volume of attacks. VariousRussian-language forums helped distribute scripts that enabled thepublic to take action, even posting the attack script in an archived

28A-$0%) g+j!(-, R1%-(? aj+%6ra?, ‘}+%r20j--a? !jl!a,’ Bedolocmu [AndreyZlobin and Xenia Boletskaya, ‘E-bomb’, Vedomosti] 28 May 2007, 5http://bitly.com/g1M9Si4.29The intensity of the attacks was high, with traffic reaching 211.66 Mbps on average,peaking at 814.33 Mbps, see Jose Nazario, ‘Georgia DDoS Attacks – A QuickSummary of Observations’, Security to the Core (Arbor Networks), 12 Aug. 2008.


version, war.rar, which prioritized Georgian government websites. In a similar vein, email addresses of Georgian politicians were spammed.

The effects of the attack were again rather small. Despite the warlike rhetoric by the international press, by the Georgian government, and by anonymous hackers, the attacks were not violent. And Georgia, a small country with a population of about 4.5 million, was even less vulnerable to attacks than Estonia; web access was relatively low and few vital services like energy, transportation, or banking were tied to the Internet. The attack had little effect beyond making a number of Georgian government websites temporarily inaccessible. The attack was also only minimally instrumental. The attack’s main damage was in limiting the government’s ability to communicate internationally and making the small country’s voice heard at a critical moment. If the attackers intended this effect, its utility was limited: the foreign ministry took the rare step, with Google’s permission, to set up a weblog on Blogger, the company’s blogging platform. This helped keep one more channel to journalists open. The National Bank of Georgia ordered all branches to stop offering electronic services for ten days. Most importantly, the attack was not genuinely political in nature. As in the Estonian case, the Georgian government blamed the Kremlin. But Russia again denied official sponsorship of the attacks. NATO’s Tallinn-based cyber security center published a report on the Georgia attacks. Although the attacks appeared coordinated and instructed, and although the media were pointing fingers at Russia, ‘there is no conclusive proof of who is behind the DDoS attacks’, NATO concluded, ‘as was the case with Estonia’.30

The cyber scuffles that accompanied the street protests in Estonia and the short military ground campaign in Georgia were precedents. Perhaps the novelty of these types of offenses was the main reason for their high public profile and the warlike rhetoric that surrounded them. The same observation might be true for another type of ‘cyber war’, high-profile spying operations. An early example is ‘Moonlight Maze’. That lurid name was given to a highly classified cyber-espionage incident discovered in 1999. The US Air Force coincidentally discovered the intrusion into its network. The Federal Bureau of Investigation (FBI) was alerted. The federal investigators called in the NSA. An investigation uncovered a pattern of intrusion into computers

30 Eneken Tikk, Kadri Kaska, Kristel Runnimeri, Mari Kert, Anna-Maria Taliharm and Liis Vihul, Cyber Attacks against Georgia (Tallinn: CCDCOE 2008), 12. Jeffrey Carr, a cyber security expert, published a report that concluded that Russia’s Foreign Military Intelligence Agency (GRU) and Federal Security Service (FSB) probably helped coordinate the attacks, not independent patriotic hackers. But to date, this was neither proven nor admitted.


at the National Aeronautics and Space Administration (NASA), at the Energy Department, at universities as well as research laboratories that had started in March 1998. Maps of military installations, hardware designs, and other sensitive information were copied. The incursions went on for almost two years. The Pentagon was able to trace back the attack to what was then called a mainframe computer in Russia. But again: no violence, unclear goals, no political attribution.

Yet the empirical trend is obvious: over the past dozen years, cyber attacks have been steadily on the rise. The frequency of major security breaches against governmental and corporate targets has been going up. The volume of attacks is increasing. So is the participation in attacks, ranging from criminals to activists to the NSA. The range of aggressive behavior online is widening. At the same time the sophistication of some attacks has reached new heights. In this respect Stuxnet has indeed been a game-changing event. Despite these trends the ‘war’ in ‘cyber war’ has more in common with the ‘war’ on obesity than with World War II – it has more metaphoric than descriptive value. It is high time to go back to classic terminology and understand cyber offences for what they really are.

Aggression, whether it involves computers or not, may be criminal or political in nature. It is useful to group offences along a spectrum, stretching from ordinary crime all the way to conventional war. Then a few distinctive features become visible: crime is mostly apolitical, war is always political; criminals conceal their identity, uniformed soldiers display their identity openly. Political violence (or ‘political crime’ in criminology and the theory of law) occupies the muddled middle of this spectrum, being neither ordinary crime nor ordinary war. For reasons of simplicity, this analysis will focus on three types of offenses on that middle stretch of the spectrum: subversion, espionage, and sabotage. All three activities may involve states as well as private actors. Cyber offenses tend to be skewed towards the criminal end of the spectrum. So far there is no known act of cyber war, when war is properly defined. That of course does not mean that there are no political cyber offenses. But all known political cyber offenses, criminal or not, are neither common crime nor common war. Their purpose is subverting, spying, or sabotaging.

In all three cases, Clausewitz’s three criteria are jumbled. These activities need not be violent to be effective. They need not be instrumental to work, as subversion may often be an expression of collective passion and espionage may be an outcome of opportunity rather than strategy. And finally: aggressors engaging in subversion, espionage or sabotage do act politically; but in sharp contrast to warfare, they are likely to have a permanent or at least temporary interest in avoiding attribution. This is one of the main reasons why


political crime, more than acts of war, has thrived in the cyber domain, where non-attribution may be easier to achieve than waterproof attribution. It goes without saying that subversion, espionage and sabotage – ‘cybered’ or not – may accompany military operations. Both sides may use it, and indeed have done so since time immemorial. But the advent of digital networks had an uneven effect.

Sabotage

Sabotage, first, is a deliberate attempt to weaken or destroy an economic or military system. All sabotage is predominantly technical in nature, but of course may use social enablers. The word allegedly dates from a French railway strike in 1910. Workers removed and damaged the sabots, wooden shoes that held the rails in their bed. The means used in sabotage must not always lead to physical destruction and overt violence, but they can. If violence is used, things are the prime targets, not humans, even if the ultimate objective may be to change the cost-benefit calculus of decisionmakers. Sabotage tends to be tactical in nature and will only rarely have operational or even strategic effects. The higher the technical development and the dependency of a society and its government and military, the higher is the potential for sabotage, especially cyber-enabled sabotage. Sabotage on its own may not be an act of war because the saboteurs may deliberately avoid open violence, they may avoid political attribution, but they always aim to be instrumental. Both avoiding excessive violence and avoiding identification may serve the ultimate goal of sabotage: impairing a technical system. Two high-profile sabotage operations, both Israeli, are instructive.

Some examples of successful use of cyber sabotage are publicly known. Such sabotage may happen in conjunction with conventional military force or stand-alone. One of the most spectacular examples for a combined strike is Operation ‘Orchard’, Israel’s bombing raid on a nuclear reactor site at Dayr ez-Zor in northern Syria on 6 September 2007. It appears that the Israeli Air Force prepared for the main attack by taking out a single Syrian radar site at Tall al-Abuad close to the Turkish border. The Israeli attackers combined electronic warfare with precision strikes. The Syrian electrical grid was not affected. Syria’s air-defense system, one of the most capable in the world, went blind and failed to detect an entire Israeli squadron of F-15I and F-16I warplanes entering Syrian airspace, raiding the site, and leaving again.31 Before-and-after satellite pictures of the targeted site on the Euphrates were

31 David A. Fulghum, Robert Wall and Amy Butler, ‘Israel Shows Electronic Prowess’, Aviation Week & Space Technology 168, 25 Nov. 2007; David A. Fulghum, Robert


made public by the US government. They show that the nascent nuclear facility with its suspected reactor building, which was located about 145 kilometers from Iraq, had been reduced to rubble. The cyber work of the operation was probably done by Unit 8200, the largest unit in the Israel Defense Forces (IDF) and Israel’s equivalent to the NSA.32 The technicians may have used a so-called ‘kill switch’ embedded in the air defense system by a contractor to render it useless.33 The details of the operation remain highly classified. But one thing can be highlighted already: the cyber element of Operation ‘Orchard’ probably was critical for the success of the Israeli raid and although the cyber attack did not physically destroy anything in its own right, it should be seen as an integrated part of a larger military operation. Although the cyber attack on its own – without the military component – would not have constituted an act of war, it was nevertheless an enabler for a successful military attack. That was different in another, even more spectacular recent incident.

Stuxnet was by far the most sophisticated known cyber attack to date. It was a highly directed attack against specific targets, most likely Iran’s nuclear enrichment program at Natanz.34 The worm was an act of cyber-enabled stand-alone sabotage not connected to a conventional military operation. Stuxnet was what the security industry calls an Advanced Persistent Threat (APT). Operation ‘Myrtus,’ as Stuxnet may have been called by its creators, was a multi-year campaign. The program started probably in late 2007 or early 2008.35 It is likely that the main attack had been executed between June 2009 and June 2010, when Information Technology (IT) security companies first publicly mentioned the worm. Stuxnet recorded a timestamp and other system information. Therefore engineers were able, in months of hard work, to outline the worm’s infection history as well as to reverse-engineer the threat and to understand its purpose. The following paragraphs are intended to provide a glimpse into Stuxnet’s complexity and sophistication.

The sabotage software was specifically written for Industrial Control Systems. These control systems are box-shaped stacks of hardware without keyboards or screens. A so-called Programmable Logic

Wall and Amy Butler, ‘Cyber-Combat’s First Shot’, Aviation Week & Space Technology 167, 16 Nov. 2007, 28–31.

32 John Markoff, ‘A silent attack, but not a subtle one’, New York Times, 26 Sept. 2010.

33 Sally Adee, ‘The Hunt for the Kill Switch’, IEEE Spectrum, May 2008.

34 Gross, ‘A Declaration of Cyber-War’.

35 Ralph Langner, ‘What Stuxnet is All About’, The Last Line of Cyber Defense, 10 Jan. 2011.


Controller (PLC) runs the control system. Therefore an industrial plant’s operators have to program the controllers by temporarily hooking them up to a laptop, most likely a so-called Field PG, a special industrial notebook sold by Siemens. These Field PGs, unlike the control system and the controller itself, run Microsoft Windows and were most likely not connected to the Internet and not even to an internal network.36

The first complication for the attackers was therefore a feasible infection strategy. Stuxnet had to be introduced into the target environment and spread there in order to reach its precise target. That target was protected by a so-called ‘air gap’, by not being connected to the insecure Internet and even internal networks. Therefore the infection most likely happened through a removable drive, such as a USB stick. The attack vehicle was coded in a way that allowed its handlers to connect to the worm through a command-and-control server. But because the final target was not networked, ‘all the functionality required to sabotage a system was embedded directly in the Stuxnet executable’, Symantec observed in the updated W32.Stuxnet Dossier, an authoritative analysis of the worm’s code.37 The worm’s injection mechanism had to be aggressive. The number of collateral and inconsequential infections was initially large: by the end of 2010, the worm had infected approximately 100,000 hosts in dozens of countries, 60 percent of which were in Iran – the machines that ultimately spread the virus on its two final targets were among them.

A second complexity was Stuxnet’s ‘sabotage strategy’, in Symantec’s words. The worm specifically targeted two models of Siemens logic controllers, 6ES7-315-2 and 6ES7-417, so-called code 315 and code 417. The likely targets were the K-1000–60/3000–3 steam turbine in the Bushehr nuclear power plant for code 417 and the gas centrifuges in Natanz for code 315.38 If the worm was able to connect to such controllers, it proceeded to check their configurations to identify the target. If Stuxnet did not find the right configuration, it did nothing. But if it found what it was looking for, the worm started a sequence to inject one of three payloads. These payloads were coded to change the output frequencies of specific drivers that run motors. Stuxnet thus was set up to cause industrial processes to malfunction, physically damaging

36 Nicolas Falliere, Liam O Murchu and Eric Chien, W32.Stuxnet Dossier. Version 1.4 (Symantec 2011), 3.

37 Ibid., 3.

38 This is Ralph Langner’s target theory. The question if Stuxnet’s code 417 ‘warhead’ was disabled or not is controversial among engineers. See ibid., 45 as well as Ralph Langner, ‘Matching Langner’s Stuxnet Analysis and Symantec’s Dossier Update’, The Last Line of Cyber Defense, 21 Feb. 2011.


rotors, turbines, and centrifuges. The attack’s goal was damaging the centrifuges slowly, thus tricking the plant’s operators. Their rationale probably was that damaging hardware would delay Iran’s enrichment program for a significant period of time, as components cannot just be easily bought on open markets.

This method relates to a third complexity, the worm’s stealthiness. Before Stuxnet started sabotaging processes, it intercepted input values from sensors, for instance the state of a valve or operating temperatures, recorded these data, and then provided the legitimate controller code with pre-recorded fake input signals, while the actual processes in the hidden background were manipulated. The objective was not just fooling operators in a control room, but circumventing and compromising digital safety systems. Stuxnet also hid the modifications it made to the controller code. And even before launching a payload, Stuxnet operated stealthily: it had mechanisms to evade antivirus software, it was able to hide copies of its files on removable drives and to hide its own program blocks when an enumeration is enforced on a controller, and it erased itself from machines that do not lead to the target.
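Seen from the monitoring side, pre-recorded input has one property that live input lacks: it repeats readings that were already observed, digit for digit, whereas a live analog sensor carries measurement noise. The following Python sketch is an added illustration of a check built on that property; it is not taken from the article or from any analysis of Stuxnet, and the temperature values, window size and function names are assumptions constructed for the example.

```python
"""Flag sensor streams that contain verbatim repeats of earlier readings."""
import random
from typing import Dict, List, Optional, Tuple


def find_replay(samples: List[float], window: int = 20,
                min_distinct: int = 3) -> Optional[Tuple[int, int]]:
    """Return (first_start, repeat_start) for the earliest run of `window`
    consecutive readings that reappears verbatim later in the stream.

    Runs with fewer than `min_distinct` distinct values are ignored, because
    a flat-lined or slowly changing sensor repeats itself legitimately.
    Returns None when no non-overlapping verbatim repeat exists.
    """
    seen: Dict[Tuple[float, ...], int] = {}
    for start in range(len(samples) - window + 1):
        chunk = tuple(samples[start:start + window])
        if len(set(chunk)) < min_distinct:
            continue
        # Remember where each run was first seen; keep the earliest index.
        first = seen.setdefault(chunk, start)
        # Require the two occurrences not to overlap each other.
        if start - first >= window:
            return first, start
    return None


def live_temperature(n: int, seed: int = 7) -> List[float]:
    """Constructed sample data: a steady process value plus Gaussian noise,
    rounded to two decimals to mimic a quantized sensor reading."""
    rng = random.Random(seed)
    return [round(71.0 + rng.gauss(0.0, 0.5), 2) for _ in range(n)]


def replayed_stream(live: List[float], record_from: int = 140,
                    switch_at: int = 200, length: int = 120) -> List[float]:
    """Constructed sample data: genuine readings up to `switch_at`, then a
    loop of the readings recorded between `record_from` and `switch_at`."""
    recording = live[record_from:switch_at]
    fake = [recording[i % len(recording)] for i in range(length)]
    return live[:switch_at] + fake


if __name__ == "__main__":
    live = live_temperature(400)
    print("live stream:    ", find_replay(live))
    print("replayed stream:", find_replay(replayed_stream(live)))
```

The check is only meaningful when the monitor reads the sensor over a path the controller under suspicion cannot rewrite, for example an independent historian or a separate measurement channel. Window length and the minimum number of distinct values have to be tuned to the noise of the real instrument.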

The resources and investment that went into Stuxnet could only be mustered by a ‘cyber superpower’, argued Ralph Langner, a German control system security consultant who first extracted and decompiled the attack code.39 A possibility is that Israel engineered the threat with American support. It starts with intelligence: each single control system is a unique configuration, so the attackers needed superb information about the specific system’s schematics. ‘They probably even knew the shoe size of the operators’, joked Langner. The designs could have been stolen or even extracted by an earlier version of Stuxnet. Another aspect is the threat’s design itself: the code was so specific that it is likely that the attackers had to set up a mirrored environment to refine their attack vehicle, which could have included a mock enrichment facility.40 Stuxnet also had network infection routines, it was equipped with peer-to-peer update mechanisms that seem to have been capable of communicating even with infected equipment without Internet connection, and injected code into industrial control systems while hiding the code from the operator. Programming such a complex agent required time, resources, and an entire team of core developers as well as quality assurance and management.41 The threat also combined expensive and hard-to-get items: four zero-day exploits, two stolen

39 Ralph Langner, ‘Cracking Stuxnet’, TED Talk, March 2011.

40 William J. Broad, John Markoff and David E. Sanger, ‘Israeli test on worm called crucial in Iran nuclear delay’, New York Times, 16 Jan. 2011, A1.

41 Nicolas Falliere, Liam O Murchu and Eric Chien, W32.Stuxnet Dossier. Version 1.4 (Symantec 2011), 3.


digital certificates, a Windows rootkit (a software granting hidden privileged access), and even the first-ever Programmable Logic Controller rootkit.42 For the time being it remains unclear how successful the Stuxnet attack against Iran’s nuclear program actually was. But it is clear that the operation has taken computer sabotage to an entirely new level.

Espionage

The second offensive activity that is neither crime nor war is espionage. Espionage is an attempt to penetrate an adversarial system for purposes of extracting sensitive or protected information. It may be either social or technical in nature. That division of labour is old. It is known as human intelligence and signals intelligence in the trade of secret services. The level of technical sophistication required for espionage may be high, but the requirements are less demanding than for complex sabotage operations. This is because espionage is not directly instrumental; its main purpose is not achieving a goal but to gather the information that may be used to design more concrete instruments or policies. A highly digitized environment has vastly increased the number of actors in the espionage business. Professionally and expensively trained agents working for governments (or large companies) have new competition from hackers and private individuals, sometimes acting on their own initiative yet potentially providing information for a larger cause. The most widespread use of state-sponsored cyber capabilities is for purposes of espionage. Empirically, the vast majority of all political cyber security incidents have been cases of espionage. As the attackers’ identity often remains dubious, it is the victim that chooses the colorful names of these operations.

An early example, ‘Moonlight Maze’, has already been mentioned. Another example, ‘Titan Rain’, is the US government codename for a series of attacks on military and governmental computer systems in 2003, an attack that continued persistently for years. Chinese hackers had probably gained access to hundreds of firewalled networks at the Pentagon, the State Department, Homeland Security, as well as defense contractors such as Lockheed Martin. It remains unclear if Chinese security agencies were behind the intrusion or if an intruder merely wanted to mask his true identity by using China-based computers. One Pentagon source estimated that Chinese intruders had downloaded ‘10

42 See Gary McGraw’s discussion with Ralph Langner on Cigital’s Silver Bullet, 25 Feb. 2011, <www.cigital.com/silverbullet/show-059/>.


to 20 terabytes of data’ from non-classified Department of Defense networks.43 Classified networks were probably not compromised.44

In November 2008, the US military witnessed the most significant breach of its computers to date. An allegedly Russian piece of spyware was inserted through a flash drive into a laptop at a base in the Middle East, ‘placed there by a foreign intelligence agency’, according to the Pentagon’s number two.45 It then started scanning the Internet for dot-mil domain addresses. This way the malware got access to the Pentagon’s unclassified network, the Non-classified Internet Protocol Router Network (NIPRNET). The Defense Department’s global secure intranet, the Secret Internet Protocol Router Network (SIPRNET), designed to transmit confidential and secret-level information, is protected by a so-called air gap or air wall, meaning that the secure network is physically, electrically, and electromagnetically separated from insecure networks. So once the piece of malware was on a hard drive in the NIPRNET, it began copying itself onto removable thumb drives. The hope was that an unknowing user would carry it over the air gap into SIPRNET, a problem known as the ‘sneakernet’ effect among the Pentagon’s security experts.46 That indeed happened and a virtual beachhead was established. But it remains unclear if the software was able to extricate information from the classified network, let alone what and how much.

In March 2009, Ron Deibert and his team at the University of Toronto publicized their discovery of what they called GhostNet, a sophisticated international spying operation, probably of Chinese origin. The network had infected 1,295 host computers of ministries of foreign affairs, embassies, international organizations, news media, and non-governmental organizations in 103 countries. The malware was able to take full control of infected computers, including searching and downloading documents, logging keystrokes, and even covertly activating personal computer cameras and microphones and capturing the recorded information.47

Only rarely do governments disclose information on successful cyber attacks on their systems. If they do, as some high-profile cases in the

43 Ellen Nakashima and Brian Krebs, ‘Contractor blamed in DHS data breaches’, Washington Post, 24 Sept. 2007, A1.

44 Bradley Graham, ‘Hackers attack via Chinese web sites’, Washington Post, 25 Aug. 2005.

45 William J. Lynn, ‘Defending a New Domain’, Foreign Affairs 89/5 (2010), 97. Clarke says the spyware was of Russian origin, see next footnote.

46 Clarke and Knake, Cyber War, 171.

47 Ron Deibert, and Rafal Rohozinsky, Tracking Ghostnet (Toronto: Munk Centre for International Studies 2009), 47.


Pentagon illustrate, the amount of information released is not very deep. And not always are IT security firms or independent researchers able to analyze and illuminate the threat, like in the case of Stuxnet or Ghostnet. Therefore numerous examples exist where public information is scarce. In December 2007, the head of British internal intelligence, MI5, informed the executives of 300 companies that they were under attack by Chinese organizations, top banks among them.48 Between 2007 and 2009, terabytes of data on the development of the F-35 were stolen, including specifics of its electronic warfare systems, the greatest advance of America’s new fourth-generation fighter.49 In January 2011, the British Foreign Office’s IT system had come under attack from a ‘hostile state intelligence agency’.50 Many more past and recent examples could be added to this list, and it will certainly grow in the future. Despite heavy investments in defenses, cyber espionage is a booming activity, both against private and public entities.

Subversion

The remaining third offensive activity is subversion. Subversion is the deliberate attempt to undermine the authority, the integrity, and the constitution of an established authority or order. The ultimate goal of subversion may be overthrowing a society’s established government. But subversive activity may also have more limited causes, such as undermining an organization’s or even a person’s authority. The modus operandi of subversive activity is eroding social bonds, beliefs, and trust in the state and other collective entities. The means used in subversion may not always include overt violence. One common tool of subversion is propaganda, for instance pamphlets, literature, and film. The vehicle of subversion is always influencing the loyalties of individuals and uncommitted bystanders. Human minds are the targets, not machines. This also applies when force comes into play. It is important to note that subversion is a broader concept than insurgency: subversion, in contrast to insurgency, does not require violence and it does not require the overthrow of an established order to be successful.

To understand subversion’s potentially limited instrumentality, something rather un-technical has to be considered: emotional causes. The present uses of the concept of ‘cyber war’ tend to be inept and

48 Rhys Blakely, ‘MI5 alert on China’s cyberspace spy threat’, The Times, 1 Dec. 2007, 1.

49 Clarke and Knake, Cyber War, 232–4.

50 Charles Arthur, ‘William Hague reveals hacker attack on Foreign Office in call for cyber rules’, Guardian, 6 Feb. 2011.


imprecise. But other classic concepts of the study of war retain their relevance and pertinence for the study of cyber offenses. Clausewitz, and many other strategic thinkers, consistently highlighted the role of passions and emotions in conflict, be it regular or irregular conflict. ‘The intensity of action’, Clausewitz observed, ‘is a function of the motive’s strength that is driving the action.’ That motive may be a rational calculation or it may be emotional indignation (Gemütserregung), he added. ‘If power is meant to be great, the latter can hardly be missing.’51 Subversion, like insurgency, is driven by strong motives that mobilize supporters, volunteers, and activists – and, if violence comes into play, fighters and insurgents.

Another revered military thinker, David Galula, described the driving force behind an insurgent group as the cause. An insurgency’s treasure would be a ‘monopoly of a dynamic cause’, wrote the French counterinsurgency expert in the 1960s.52 But 50 years later, the demise of grand ideologies53 and the rise of highly networked movements have altered the logic of dynamic causes. Not grand narratives, but highly specific issues are likely to mobilize a critical mass of enraged activists, if only temporarily. Non-attribution has lowered the costs and risks of activism – but it has also lowered the costs and risks of stopping activism again. Consequently the potential for subversion is changing: entering into subversive activity has become easier, but taking subversion a critical step further into the realm of actual politics, to successful insurgency and ultimately to governance, has become harder.54 Three brief examples will illustrate this point.55

A highly insightful example for non-violent subversion is Anonymous, a loose and leaderless movement of activists. Supporters conceal their identities and unite around a self-defined cause, often promoting free speech and agitating against censorship. The movement’s motto is frequently posted at the end of announcements: We are

51 ‘Die Energie des Handelns drückt die Stärke des Motivs aus, wodurch das Handeln hervorgerufen wird, das Motiv mag nun in einer Verstandesüberzeugung oder einer Gemütserregung seinen Grund haben. Die letztere darf aber schwerlich fehlen, wo sich eine große Kraft zeigen soll.’ Clausewitz, Vom Kriege, 69.

52 David Galula, Counterinsurgency Warfare: Theory and Practice (New York: Praeger 1964), 71.

53 For a historical discussion of ideology’s role in guerrilla war, see Walter Laqueur, Guerrilla. A Historical and Critical Study (Boston: Little, Brown 1976).

54 Thomas Rid and Marc Hecker, ‘The Terror Fringe’, Policy Review 158 (Dec./Jan. 2010), 3–19.

55 For a more exhaustive list of politically motivated cyber-attacks, see Robin Gandhi, Anup Sharma, William Mahoney, William Sousan, Qiuming Zhu and Phillip Laplante, ‘Dimensions of Cyber Attacks’, IEEE Technology and Society Magazine (Spring 2011), 28–38.


Anonymous. We are Legion. We do not forgive. We do not forget. Expect us. The actions undertaken by Anonymous activists may have a political agenda or they may just be a crude form of entertainment.56 Volunteers may be ‘doing it for the lulz’, as a phrase from internet culture has it. ‘Lulz’ is a concept related to the German idea of Schadenfreude, derived from a plural of ‘lol’, which stands for laugh-out-loud.57 An example of the latter was Anonymous’ ‘YouTube porn day’, a concerted prankster raid on 20 May 2009 where hundreds of pornographic videos were defiantly uploaded to the popular video-sharing site, allegedly to retaliate against the removal of music videos.58

The movement is best known for two high-profile political operations, although it has undertaken many more. Its first big campaign, known as ‘Project Chanology’, targeted the Church of Scientology and was launched on 21 January 2008 with a YouTube video that has since been viewed more than four million times.59 When Scientology tried to censor the video, Anonymous activists reacted with DDoS attacks on Scientology’s website as well as several waves of demonstrations in front of the sect’s main centers worldwide, often wearing Guy Fawkes masks, adopted from the film V for Vendetta. The global turnout on some days was as high as 8,000 protesters. The campaign was widely covered in the international press.

A second example is Anonymous’ perhaps most striking operation, adevastating assault on HBGary Federal, a technology securitycompany. HBGary’s clients included the US government and companieslike McAfee. The firm with the tag-line detecting tomorrow’s malwaretoday had analyzed GhostNet and Aurora, two of the mostsophisticated known threats. In early February 2011, Aaron Barr, thenits chief executive officer (CEO), wanted more public visibility andannounced that his company had infiltrated Anonymous and plannedto disclose details soon. In reaction, Anonymous hackers infiltratedHBGary’s servers, erased data, defaced its website with a letterridiculing the firm with a download link to a leak of more than40,000 of its emails to The Pirate Bay, took down the company’s phone

56A good analysis of Anonymous is Adrian Crenshaw, ‘Crude, Inconsistent Threat:Understanding Anonymous’, Irongeek.com, 28 March 2011, 5http://bitly.com/e87PeA4.57An explanation and a good introduction into the sense of humor of that subculture isat 5http://ohinternet.com/Lulz4.58In a video titled Jonas Brother Live On Stage, a viewer commented: ‘I’m 12 years oldand what is this?’ The phrase, quoted in a BBC story, went on to become an Internetmeme. Siobhan Courtney, ‘Pornographic videos flood YouTube’, BBC News, 21 May2009.595www.youtube.com/watch?v¼JCbKv9yiLiQ4.


system, usurped the CEO’s twitter stream, posted his social security number, and clogged up fax machines.60 Anonymous activists had used a number of methods, including SQL injection, a code injection technique that exploits faulty database requests. ‘You brought this upon yourself. You’ve tried to bite the Anonymous hand, and now the Anonymous hand is bitch-slapping you in the face’, said the letter posted on the firm’s website.61 The attack badly pummeled the security company’s reputation.

The ‘Anon’ movement and several assorted splinter-groups, such as LulzSec or AntiSec, have subsequently gained notoriety and attracted significant media attention. The best-known attacks successfully targeted the FBI, the CIA, the Navy as well as American government contractors such as Booz Allen Hamilton, IRC Federal, ManTech, and even the British tabloid The Sun. As a result, several mostly young hackers were arrested worldwide. The sophistication of their attacks, it should be noted, remains limited as the attackers were mainly going after ‘low hanging fruit’.62 The specific causes that motivated the activists were as varied and fickle as the attacks themselves.

Other examples of subversion were the politically motivated DDoS attacks in Estonia and Georgia. On the one hand the target of these attacks had a social dimension: cutting the information flow between governments, the media, and its citizens, thus undermining citizens’ trust in their leaders’ authority and competence. On the other hand the way these attacks were executed had a stronger social dimension: many of the predominantly Russian patriotic hackers, ‘hacktivists’, or ‘script kiddies’ who voluntarily downloaded a relatively primitive attack code did so for emotional reasons, because they were outraged by what they saw as anti-Russian policies, perhaps because they wanted to impress peers. Pulling off such an attack is relatively simple, requiring ‘just a lot of people getting together and running the same tools on their home computers,’ wrote Jose Nazario of Arbor Networks about the Estonia incident.63 Steven Adair of Shadow Server concluded, ‘The average user

60 Peter Bright, ‘Anonymous speaks: the inside story of the HBGary hack’, Ars Technica, 15 Feb. 2011.

61 Anonymous, ‘This Domain Has Been Seized . . .’, archived at <http://bitly.com/hWvZXs>.

62 See ‘AnonyLulzyAntiSec, Just What Have You Done for Us Lately?,’ Krypt3ia, 22 July 2011, <http://bitly.com/qQJwiu>.

63 Charles Clover, ‘Kremlin-backed group behind Estonia cyber blitz’, Financial Times, 11 March 2009. See also Jose Nazario, ‘Politically Motivated Denial of Service Attacks’, in Christian Czosseck and Kenneth Geers (eds), The Virtual Battlefield, (Amsterdam; Washington, DC: IOS Press 2009), 163–81.


is now getting involved and helping to attack Georgian websites.’ He dubbed this the ‘grass roots effect’ of cyber attacks.64

Another such example is the tussle between Israeli and Arab activists that played out during Operation ‘Cast Lead’ in January 2009. Many Israeli websites, often from small companies, were defaced during the short war. One simple pro-Palestinian attack tool was named after Mohammad al-Durra, a Palestinian child allegedly killed by Israeli soldiers in 2000. One notable pro-Israeli initiative was a voluntary botnet, ‘Help Israel Win’, which allowed individuals to voluntarily delegate control of their computers to the botnet server after downloading the ‘Patriot DDoS tool’, which ran in a personal computer’s background while autonomously updating the client with addresses to target. The Israeli voluntary botnet was organized, according to the website’s description, by ‘a group of students who are tired of sitting around doing nothing while the citizens of Sderot and the cities around the Gaza Strip are suffering.’65 In Estonia, Georgia, and Israel, riots and demonstrations were practically extended into cyberspace, even if the volunteers did not always act without the assistance of more skilled individuals.66 In such situations, participation and (relatively) easy handling of the technology that enables participation may be even more significant than the sophistication of these technologies. The global jihad took this dynamic a step further.

The Internet, social media and the spread of mobile phones with video cameras had a profound effect on subversion, including subversive violence, insurgency, and even terrorism. Political violence in the twenty-first century, especially the global jihadi movement, has become an Internet-enhanced phenomenon. For jihadis, cyberspace is neither just target nor weapon, but an essential platform. That platform is used to reach out to external audiences both hostile and friendly. But more importantly it is a vehicle for internal debate and cohesion. On extremist forums, social dynamics and ideological debates among acolytes take center stage, not achieving technical prowess. Know-how of bomb-making techniques, complete with details and educational videos, is also available online. But virtual training camps cannot replace brick-and-mortar training camps, and when such substitutes were tried, the technological sophistication of attacks has dropped. Online instructional material is less important for the terrorist

64 Steven Adair, ‘Georgian Attacks: Remember Estonia?’, Shadow Server, 13 Aug. 2008.

65 See also Jeffrey Carr, ‘Project Grey Goose Phase II Report’, GreyLogic, 20 March 2009, Chapter 2.

66 Rain Ottis, ‘From Pitchforks to Laptops: Volunteers in Cyber Conflicts’, Conference on Cyber Conflict Proceedings (2010).


movement’s continuity than the ideological discussion of the various causes of resistance under the banner of jihad. Jihadism’s web presence, in short, keeps alive a strong cause at the fringe with a persistent and stable following, albeit a small one.

An instructive counter-example is the Arab Spring of 2011. Initially the Arab youth movements that threatened the established order in Tunisia, Egypt, Libya, Syria, Yemen and elsewhere also had a web presence on social media platforms – but combined with a strong cause in the mainstream of their societies with a fast-growing following. Once the initial spark started a larger political movement, street protests gained a revolutionary dynamic that could barely be stopped, neither by shutting down the web nor by the state’s security forces.

Conclusion

The levels of technical and social sophistication required for sabotage and subversion are inversely related. At closer inspection the required technical prowess increases from subversion, to espionage, to sabotage. The inverse applies to the required social mobilization: the mobilization of popular support is essential for subversion, perhaps helpful in espionage, and largely irrelevant for sabotage. Successful sabotage is primarily a function of the quality of the attacker’s technical sophistication and the available intelligence; successful subversion is primarily a function of the quantity of supporters mobilized by the strength of political ideas and social causes. This analysis leads to three conclusions that stand in contradiction to the prophecies of cyber war.

The first conclusion is about subversion. In the past and present, not high-tech but low-tech has been more likely to lead to an escalation of violence, instability, and ultimately even war. In the twenty-first century, the one type of political offence with the greatest potential to unleash instability and violence may not be technologically highly sophisticated sabotage, but technically rather primitive subversion. Yet the Internet facilitates an unexpected effect: specific social and political causes may persist in subcultures and niche groups, either temporarily or over an extended time, either violently or non-violently – and they may never cease attracting followers yet never go mainstream. These movements may be cause-driven to a significant extent, and less dependent on leaders, organization, and mass support than classical insurgent groups. Weak causes become stronger in the sense that they garner enough support to persist over an extended period of time, constantly maintaining a self-sufficient, self-recruiting, but also self-limiting number of supporters and activists.

The second finding concerns more sophisticated cyber offenses. Conventional wisdom holds that cyberspace turns the offense/defense


balance on its head by making attacking easier and more cost-effective while making defending harder and more resource-intense. Cyber attack, the standard argument goes, increased the attacker’s opportunities and the amount of damage to be done while decreasing the risks (sending special code is easier than sending special forces).67 Hence expect more sabotage and more saboteurs. This may have it exactly wrong: quality matters more than quantity. The number of actors that are able to pull off an offensive and complex Stuxnet-class sabotage operation is likely to be smaller than commonly assumed. Cyber sabotage can be more demanding than the brick-and-mortar kind, even if the required resources are dwarfed by the price of complex conventional weapon systems.68 Vulnerabilities have to be identified before they can be exploited; complex industrial systems need to be understood first; and a sophisticated attack vehicle may be so fine-tuned to one specific target configuration that a generic use may be difficult or impossible (consider a highly sophisticated rocket that can only be fired against one single target and at nothing else, even if some of its components may be reused).69 What follows may be a new trend: the level of sophistication required to find an opportunity and to stage a successful cyber sabotage operation is rising. The better the protective and defensive setup of complex systems, the more sophistication, the more resources, the more skills, the more specificity in design, and the more organization is required from the attacker. Only very few sophisticated strategic actors may be able to pull off top-range computer sabotage operations.

The third conclusion is about defenses. The world’s most sophisticated cyber forces have an interest in openness if they want to retain their edge, especially on the defensive. The precise offensive capabilities of the United States but also of other countries like Israel, France, China or North Korea are highly classified. There is much reason to assume that many spying operations are unknown to the victim. Even sabotage through logic bombs may have been already prepared without the knowledge of the defender. There may even be an incentive for governments as well as large firms to hide the true extent of cyber

67 See for instance, Martin Libicki, Cyberdeterrence and Cyberwar (Santa Monica, CA: RAND Corporation 2009), 32–3.

68 Ralph Langner, ‘A declaration of bankruptcy for US critical infrastructure protection’, The Last Line of Cyber Defense, 3 June 2011.

69 See Roberta Stempfley and Sean McGurk, Testimony, US House of Representatives, Committee on Energy and Commerce, 26 July 2011, 7, ‘[S]ophisticated malware of this type potentially has the ability to gain access to, steal detailed proprietary information from, and manipulate the systems that operate mission-critical processes within the nation’s infrastructure.’


attacks, if they come to their attention, lest they would expose their vulnerabilities and damage their reputation as a place for secure investment. But cyber defenses of the most sophisticated countries should be more transparently presented. Only openness and oversight can expose and reduce weaknesses in organization, priorities, technology, and vision.

This article argued that the world never experienced an act of cyber war, which would have to be violent, instrumental, and – most importantly – politically attributed. No attack on record meets all of these criteria. Instead, the last decade saw increasingly sophisticated acts of network-enabled sabotage, espionage, and subversion. These activities can of course support military operations, and they have been used for that purpose for centuries. But the question is if a trend is leading to inevitable acts of stand-alone cyber war, with code as the main weapon, not as an auxiliary tool that is nice to have.

In the 1950s and 1960s, when Giraudoux was translated into English, the world faced another problem that many thought was inevitable: nuclear exchange. Herman Kahn, Bill Kaufmann, and Albert Wohlstetter were told that nuclear war could not be discussed publicly, as Richard Clarke pointed out in his alarmist book, Cyber War. He rightly concluded that as with nuclear security, there should be more public discussion on cyber security because so much of the work has been stamped secret. But in many ways the comparison between nuclear war and cyber conflict, although often made, is misplaced and problematic. This should be obvious when the Pearl Harbor comparison or the Hiroshima-analogy is given a second thought: unlike the nuclear theorists in the 1950s, cyber war theorists of the 2010s have never experienced the actual use of a deadly cyber weapon, let alone a devastating one like Little Boy. There was no and there is no Pearl Harbor of cyber war. Unless significantly more evidence and significantly more detail are presented publicly by more than one agency, we have to conclude that there will not be a Pearl Harbor of cyber war in the future either.70 Then the heading of this article should not be understood with Giraudoux’s sense of fine irony, but literally. Needless to say, Cassandra could still have the last word.

70 In May 2011, the Obama White House stressed deterrence in cyberspace and made clear that ‘certain hostile acts conducted through cyberspace’ could trigger a military response by America (in using ‘all necessary means’, the document explicitly included military means). But the White House did not make clear what certain hostile acts (p. 14) or ‘certain aggressive acts in cyberspace’ (p. 10) actually mean, Barack Obama, International Strategy for Cyberspace (Washington, DC: White House, May 2011).


Acknowledgements

The author would like to thank David Betz, Peter McBurney, Tim Stevens and an anonymous reviewer for their helpful comments and the Institute for Advanced Study at Konstanz University for their support.

Notes on Contributor

Thomas Rid is a Reader in War Studies at King’s College London and a non-resident fellow at the Center for Transatlantic Relations at the School for Advanced International Studies (SAIS), Johns Hopkins University, Washington, DC. In 2009/2010, Rid was a visiting scholar at the Hebrew University and the Shalem Center in Jerusalem. From 2006 to 2009 he worked at the Woodrow Wilson Center and the RAND Corporation in Washington, and at the Institut français des relations internationales in Paris. Rid published three books, Understanding Counterinsurgency (Routledge 2010, co-edited with Tom Keaney), War 2.0 (Praeger 2009, with Marc Hecker) and War and Media Operations (Routledge 2007). More at http://thomasrid.org

Bibliography

Adair, Steven, ‘Georgian Attacks: Remember Estonia?’, Shadow Server, 13 Aug. 2008.

Adee, Sally, ‘The Hunt for the Kill Switch’, IEEE Spectrum, May 2008.

Arquilla, John and David Ronfeldt, ‘Cyberwar is Coming!’, Comparative Strategy 12/2 (1993), 141–65.

Arthur, Charles, ‘William Hague reveals hacker attack on Foreign Office in call for cyber rules’, Guardian, 6 Feb. 2011.

Blakely, Rhys, ‘MI5 alert on China’s cyberspace spy threat’, The Times, 1 Dec. 2007.

Bright, Peter, ‘Anonymous speaks: the inside story of the HBGary hack’, Ars Technica, 15 Feb. 2011.

Broad, William J., John Markoff and David E. Sanger, ‘Israeli test on worm called crucial in Iran nuclear delay’, New York Times, 16 Jan. 2011, A1.

Carr, Jeffrey, ‘Project Grey Goose Phase II Report’, GreyLogic, 20 March 2009, Chapter 2.

Clarke, Richard A. and Robert K. Knake, Cyber War (New York: Ecco 2010).

Clausewitz, Carl von, Vom Kriege (Berlin: Ullstein 1832, 1980).

Clover, Charles, ‘Kremlin-backed group behind Estonia cyber blitz’, Financial Times, 11 March 2009.

Courtney, Siobhan, ‘Pornographic videos flood YouTube’, BBC News, 21 May 2009.

Crenshaw, Adrian, ‘Crude, Inconsistent Threat: Understanding Anonymous’, Irongeek.com, 28 March 2011, <http://bitly.com/e87PeA>.

Daniel, Lisa, ‘Panetta: Intelligence Community Needs to Predict Uprisings’, American Forces Press Service, 11 Feb. 2011.

Deibert, Ron and Rafal Rohozinsky, Tracking Ghostnet (Toronto: Munk Centre for International Studies 2009).

Dinstein, Yoram, ‘Computer Network Attacks and Self-Defense’, International Law Studies 76 (2002), 99–120.


Espiner, Tim, ‘Estonia’s cyberattacks: lessons learned, a year on’, ZDNet UK, 1 May 2008.

Evron, Gadi, ‘Battling Botnets and Online Mobs’, Science & Technology (Winter/Spring 2008), 121–8.

Evron, Gadi, ‘Authoritatively, Who was Behind the Estonian Attacks?’ Darkreading, 17 March 2009.

Falliere, Nicolas, Liam O. Murchu and Eric Chien, W32.Stuxnet Dossier. Version 1.4 (Symantec 2011).

Fulghum, David A., Robert Wall and Amy Butler, ‘Cyber-Combat’s First Shot’, Aviation Week & Space Technology 167, 16 Nov. 2007, 28–31.

Fulghum, David A., Robert Wall and Amy Butler, ‘Israel Shows Electronic Prowess’, Aviation Week & Space Technology 168, 25 Nov. 2007.

Galula, David, Counterinsurgency Warfare: Theory and Practice (New York: Praeger 1964).

Gandhi, Robin, Anup Sharma, William Mahoney, William Sousan, Qiuming Zhu and Phillip Laplante, ‘Dimensions of Cyber Attacks’, IEEE Technology and Society Magazine (Spring 2011), 28–38.

Gibbs, Jack P., ‘Deterrence Theory and Research’, in Gary Melton, Laura Nader and Richard A. Dienstbier (eds), Law as a Behavioral Instrument (Lincoln: Univ. of Nebraska Press 1986).

Giraudoux, Jean, Tiger at the Gates [La Guerre De Troie N’aura Pas Lieu], translated by Christopher Fry (New York: Oxford University Press 1955).

Graham, Bradley, ‘Hackers attack via Chinese web sites’, Washington Post, 25 Aug. 2005.

Gross, Michael Joseph, ‘A declaration of cyber-war’, Vanity Fair, April 2011.

Hayden, Michael V., ‘The Future of Things Cyber’, Strategic Studies Quarterly 5/1 (Spring 2011), 3–7.

Langner, Ralph, ‘What Stuxnet is All About’, The Last Line of Cyber Defense, 10 Jan. 2011.

Langner, Ralph, ‘Matching Langner’s Stuxnet analysis and Symantec’s dossier update’, The Last Line of Cyber Defense, 21 Feb. 2011.

Langner, Ralph, ‘Cracking Stuxnet’, TED Talk, March 2011.

Langner, Ralph, ‘A declaration of bankruptcy for US critical infrastructure protection’, The Last Line of Cyber Defense, 3 June 2011.

Laqueur, Walter, Guerrilla: A Historical and Critical Study (Boston: Little, Brown 1976).

Libicki, Martin, Cyberdeterrence and Cyberwar (Santa Monica, CA: RAND Corporation 2009).

Lynn, William J., ‘Defending a New Domain’, Foreign Affairs 89/5 (2010), 97–108.

Mahnken, Thomas G., ‘Cyber War and Cyber Warfare’, in Kristin Lord and Travis Sharp (eds), America’s Cyber Future: Security and Prosperity in the Information Age, Vol. 2, (Washington, DC: CNAS 2011), 53–62.

Markoff, John, ‘A silent attack, but not a subtle one’, New York Times, 26 Sept. 2010.

Medetsky, Anatoly, ‘KGB veteran denies CIA caused ’82 blast’, Moscow Times, 18 March 2004.

Nakashima, Ellen and Brian Krebs, ‘Contractor blamed in DHS data breaches’, Washington Post, 24 Sept. 2007, p. A1.

National Transportation Safety Board, ‘Pipeline Rupture and Subsequent Fire in Bellingham, Washington, June 10, 1999’, Pipeline Accident Report NTSB/PAR-02/02 (Washington DC, 2002).

Nazario, Jose, ‘Politically Motivated Denial of Service Attacks’, in Christian Czosseck and Kenneth Geers (eds) The Virtual Battlefield (Amsterdam/Washington DC: IOS Press 2009), 163–81.

Obama, Barack, International Strategy for Cyberspace (Washington DC: White House, May 2011).

Ottis, Rain, ‘From Pitchforks to Laptops: Volunteers in Cyber Conflicts’, Conference on Cyber Conflict Proceedings (2010).

Reed, Thomas C., At the Abyss (New York: Random House 2004).


Rid, Thomas and Marc Hecker, ‘The Terror Fringe’, Policy Review 158 (December/Jan. 2010), 3–19.

Tikk, Eneken, Kadri Kaska, Kristel Runnimeri, Mari Kert, Anna-Maria Taliharm and Liis Vihul, Cyber Attacks against Georgia (Tallinn: CCDCOE 2008).

Tikk, Eneken, Kadri Kaska and Liis Vihul, International Cyber Incidents (Tallinn: CCDCOE 2010).

Waxman, Matthew C., ‘Cyber-Attacks and the Use of Force’, Yale Journal of International Law 36 (2011), 421–59.
